Integration details
A&AI webservices resources and traversal are integrated with AAF through the Cadi filter. The request workflow looks as follows:
Image Modified
- The request is authenticated in AAFTODO: the request should be authorized in the
- futureThe request is authorized through a permission in AAF (see section: A&AI permissions)
- If the request passes all the checks (authentication and in the future authorization), it is forwarded to the A&AI servlet which handles the web services.
...
Users have roles assigned and each role has permissions.
A&AI permissions
...
There will be a separate permission for traversal and resources web services. Let's call these permissions org.onap.aai.resources and org.onap.aai.traversal. For now we will not distinguish between different objects we could affect, so the instance will always be "*" meaning everything. Actions will be mapped to HTTP verbs - GET, PUT, POST, DELETE, PATCH.
For a seemless transition to AAF, the first roles we use for our clients will be called org.onap.aai.resources_all and org.onap.aai.traversal_all with read and write permissionadvanced and org.onap.aai.resources_readonly and org.onap.aai.traversal_readonly with read only permissionbasic. These roles will be assigned to all users/applications which access A&AI web services.
| Role name | Meaning |
|---|
| org.onap.aai. | traversalresources_ | all |
| Permission type | instances | action |
|---|
allread + write access to the resources web service | | org.onap.aai.traversal | * | get | resources_readonlyread-only access to the resources web service |
| org.onap.aai.traversal | * | put | _advancedapplications may issue basic and advanced queries in the traversal web service |
| org.onap.aai.traversal | * | post | _basic | applications may issue only basic queries in the traversal web service |
| Role org.onap.aai.traversal | * | delete_advanced |
|---|
| Permission type | instances | action |
|---|
| org.onap.aai.traversal | * | patchadvanced |
|
| Role org.onap.aai.resources_all |
|---|
| Permission type | instances | action |
|---|
| org.onap.aai.resources | * | get | | org.onap.aai.resources | * | put | | org.onap.aai.resources | * | post | | org.onap.aai.resources | * | delete | | org.onap.aai.resources | * | patch |
|
...
| Role org.onap.aai.traversal_readonlybasic |
|---|
| Permission type | instances | action |
|---|
| org.onap.aai.traversal | ??? | ??? |
|
...
A&AI webservice AAF role and permission
...
script
| Code Block |
|---|
| language | bash |
|---|
| theme | Midnight |
|---|
| title | AAF role permission setup |
|---|
|
#resources read-write role
role create org.onap.aai.resources_all
perm create org.onap.aai.resources * get org.onap.aai.resources_all
perm create org.onap.aai.resources * put org.onap.aai.resources_all
perm create org.onap.aai.resources * post org.onap.aai.resources_all
perm create org.onap.aai.resources * patch org.onap.aai.resources_all
perm create org.onap.aai.resources * delete org.onap.aai.resources_all
#resources read-only role
role create org.onap.aai.resources_readonly
perm create org.onap.aai.resources * get org.onap.aai.resources_readonly
#traversal basic role
role create org.onap.aai.traversal_basic
perm create org.onap.aai.traversal * basic org.onap.aai.traversal_basic
#traversal advanced role
role create org.onap.aai.traversal_advanced
perm create org.onap.aai.traversal * advanced org.onap.aai.traversal_advanced
#adding users to roles
user role add aai@aai.onap.org org.onap.aai.traversal_advanced
user role add so@so.onap.org org.onap.aai.traversal_advanced
user role add sdnc@sdnc.onap.org org.onap.aai.traversal_advanced
user role add dcae@dcae.onap.org org.onap.aai.traversal_advanced
user role add policy@policy.onap.org org.onap.aai.traversal_advanced
user role add sdc@sdc.onap.org org.onap.aai.traversal_advanced
user role add vid@vid.onap.org org.onap.aai.traversal_advanced
user role add appc@appc.onap.org org.onap.aai.traversal_advanced
user role add oof@oof.onap.org org.onap.aai.traversal_advanced
user role add pomba@pomba.onap.org org.onap.aai.traversal_advanced
user role add vfc@vfc.onap.org org.onap.aai.traversal_advanced
user role add demo@people.osaaf.org org.onap.aai.traversal_basic
user role add aai@aai.onap.org org.onap.aai.resources_all #just an example, add role to the correct user
role create
user role add so@so.onap.org org.onap.aai.resources_all
user role add sdnc@sdnc.onap.org org.onap.aai.resources_all
user role add dcae@dcae.onap.org org.onap.aai.resources_all
user role add policy@policy.onap.org org.onap.aai.resources_all
user role add sdc@sdc.onap.org org.onap.aai.resources_all
user role add vid@vid.onap.org org.onap.aai.resources_all
user role add appc@appc.onap.org org.onap.aai.resources_all
user role add oof@oof.onap.org org.onap.aai.resources_all
user role add pomba@pomba.onap.org org.onap.aai.resources_readonly
perm createall
user role add vfc@vfc.onap.org org.onap.aai.resources * get_all
user role add demo@people.osaaf.org org.onap.aai.resources_readonly |
Open questions
...
Open questions